This topic describes the syntax and parameters of event check functions. This topic also provides examples on how to use the functions.
Functions
Category | Function | Description |
---|---|---|
Basic function | e_has | Checks whether a log field exists. |
Basic function | e_not_has | Checks whether a log field does not exist. This function can be used together with other functions. For more information, see Cleanse data by using functions. |
Expression function | e_search | Searches for an event by using a query syntax that is similar to Lucene. This function can be used together with other functions. For more information, see Cleanse data by using functions. |
Expression function | e_match | Checks whether the value of a log field matches a regular expression. This function can be used together with other functions. For more information, see Cleanse data by using functions. |
Expression function | e_match_any | Checks the values of one or more log fields against regular expressions. If at least one of the specified fields matches its regular expression, True is returned. Otherwise, False is returned. |
Expression function | e_match_all | Checks the values of one or more log fields against regular expressions. If all specified fields match their regular expressions, True is returned. Otherwise, False is returned. |

Category | Function | Description |
---|---|---|
Logical function | op_and | Invokes the AND operation. |
Logical function | op_or | Invokes the OR operation. |
Logical function | op_not | Invokes the NOT operation. |
Logical function | op_nullif | Returns None if the values of two expressions are equal. Otherwise, returns the value of the first expression. |
Logical function | op_ifnull | Returns the value of the first expression whose value is not None. |
Logical function | op_coalesce | Returns the value of the first expression whose value is not None. |
e_has
The function is used to check whether a log field exists.
Syntax
e_has("key")
Parameters
Parameter | Type | Required | Description |
---|---|---|---|
key | String | Yes | The name of the log field. |
Response
If the specified field exists, True is returned. Otherwise, False is returned.
Examples
Check whether a log contains the content field. If the log contains the content field, the log is retained. Otherwise, the log is dropped.
- Raw log:
content: 123
- Transformation rule:
e_keep(e_has("content"))
- Result:
content: 123
e_not_has
The function is used to check whether a log field does not exist.
Syntax
e_not_has("key")
Parameters
Parameter | Type | Required | Description |
---|---|---|---|
key | String | Yes | The name of the log field. |
Response
If the specified field does not exist, True is returned. Otherwise, False is returned.
Examples
Check whether a log contains the content field. If the log does not contain the content field, the log is retained. Otherwise, the log is dropped.
- Raw log:
content: 123
- Transformation rule:
e_if_else(e_not_has("content"),KEEP,DROP)
- Result:
The log is dropped, because the content field exists.
Other use cases
This function can be used together with other functions. For more information, see Cleanse data by using functions.
e_search
The function is used to search for an event by using a query syntax that is similar to Lucene.
Syntax
e_search(querystring)
Parameters
Parameter | Type | Required | Description |
---|---|---|---|
querystring | String | Yes | The query string that you want to use to filter log data. For more information, see Query string syntax. |
Response
If the specified conditions are met, True is returned. Otherwise, False is returned.
Examples
```python
# Full-text search
e_search("active error")        # Search the full text for either substring. Unquoted words are combined with the logical operator OR.
e_search('"active error"')      # Search the full text for the single substring "active error".

# Field search
e_search("status: active")            # Search for a substring in the specified field.
e_search('author: "john smith"')      # Search the specified field for a substring that contains a space character.
e_search('field: active error')       # Search the field for "active" OR search the full text for "error". Equivalent to field:active OR "error".

# Exact match
e_search('author== "john smith"')     # The whole field value must equal "john smith".

# Wildcards: an asterisk (*) matches zero or more characters, a question mark (?) matches exactly one character.
e_search("status: active*test")       # active*test contains one asterisk. The value does not need to be enclosed in double quotation marks ("").
e_search("status: active?good")       # active?good contains one question mark. The value does not need to be enclosed in double quotation marks ("").
e_search("status== ac*tive?good")     # Wildcards in an exact match: the whole field value must match the pattern.

# Escape special characters in a field value. Asterisks (*) or question marks (?) that are not used as wildcards must be escaped with a backslash (\).
e_search('status: "\*\?()[]:="')      # The value contains several special characters and must be enclosed in double quotation marks (""). The asterisk, question mark, and backslashes in the value are escaped.
e_search("status: active\*test")      # active\*test contains one literal asterisk. The value does not need to be enclosed in double quotation marks ("").
e_search("status: active\?test")      # active\?test contains one literal question mark. The value does not need to be enclosed in double quotation marks ("").

# Escape special characters in a field name
e_search("\*\(1+1\)\?: abc")                  # A field name cannot be enclosed in double quotation marks (""). Special characters must be escaped with a backslash (\).
e_search("__tag__\:__container_name__: abc")  # The colon in the field name must be escaped with a backslash (\).
e_search("field name in Chinese: abc")        # A field name made of Chinese (or other non-ASCII) characters is entered as-is.

# Regular expressions
e_search('content~="regular expression"')     # Search for substrings that match the regular expression.

# Numeric value comparison
e_search('count: [100, 200]')   # >=100 and <=200
e_search('count: [*, 200]')     # <=200
e_search('count: [200, *]')     # >=200
e_search('age >= 18')           # >= 18
e_search('age > 18')            # > 18

# Logical operators (AND, OR, NOT). The operator keywords are case-insensitive.
e_search("abc OR xyz")
e_search("abc and (xyz or zzz)")
e_search("abc and not (xyz and not zzz)")
e_search("abc && xyz")     # and
e_search("abc || xyz")     # or
e_search("abc || !xyz")    # or not
```
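The wildcard and escaping rules above are easy to get wrong when part of the query string comes from untrusted input: one unescaped asterisk turns a filter that should match a single literal status into one that matches every event. The following Python is an added illustration and is not the Simple Log Service implementation of e_search. It models how an e_search-style value containing `*`, `?` and backslash escapes translates into a regular expression, treating `field: value` as a substring match and `field== value` as an exact match, as described above. The functions `wildcard_to_regex`, `field_matches` and `escape_wildcards` and the sample events are constructed for this example; the real query engine may differ in details such as case handling.

```python
import re
from typing import Dict


def wildcard_to_regex(value: str) -> str:
    """Translate an e_search-style value into a regular-expression fragment.

    '*' matches zero or more characters and '?' matches exactly one character.
    A backslash escapes the character that follows it, so '\\*' and '\\?' are
    matched literally. Every other character is regex-escaped, so '(' '[' ':'
    and '=' are ordinary literals rather than regex syntax.
    """
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            out.append(re.escape(value[i + 1]))  # escaped: take next char literally
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def field_matches(event: Dict[str, str], field: str, value: str, exact: bool) -> bool:
    """Evaluate 'field== value' (exact=True) or 'field: value' (exact=False).

    Assumption for this example: '==' anchors the pattern to the whole field
    value, ':' accepts a match anywhere in it, and a missing field never
    matches.
    """
    if field not in event:
        return False
    pattern = wildcard_to_regex(value)
    text = str(event[field])
    if exact:
        return re.fullmatch(pattern, text) is not None
    return re.search(pattern, text) is not None


def escape_wildcards(literal: str) -> str:
    """Escape backslash, '*' and '?' so an untrusted string is matched literally.

    Use this on any value that is interpolated into a query string, otherwise
    a supplied '*' becomes a match-everything wildcard.
    """
    return re.sub(r"([\\*?])", r"\\\1", literal)


# Constructed sample event, not taken from the page.
SAMPLE_EVENT: Dict[str, str] = {"status": "active_good_test"}


def untrusted_filter_is_too_broad(user_value: str) -> bool:
    """Show the difference between raw and escaped interpolation of a value."""
    raw_hit = field_matches(SAMPLE_EVENT, "status", user_value, exact=True)
    safe_hit = field_matches(SAMPLE_EVENT, "status", escape_wildcards(user_value), exact=True)
    return raw_hit and not safe_hit
```

Passing `"*"` as `user_value` makes `untrusted_filter_is_too_broad` return True: the raw value matches the sample event (and every other event), while the escaped form only matches a status that is literally `*`.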
Other use cases
This function can be used together with other functions. For more information, see Cleanse data by using functions.
e_match
The function is used to check whether the value of a log field matches a regular expression.
Syntax
e_match(key, regular_expression, full=True)
Note: In most cases, the e_match function is used together with the op_not, op_and, or op_or function.
Parameters
Parameter | Type | Required | Description |
---|---|---|---|
key | String | Yes | The name of the log field. If the specified field does not exist, the condition is not met. For example, if the f1 field does not exist, e_match("f1", ...) returns False. |
regular_expression | String | Yes | The regular expression. To match a string literally, escape it first by using the str_regex_escape function. |
full | Bool | No | Specifies whether the regular expression must match the entire field value. Default value: True. If you set the value to False, a match anywhere in the field value is sufficient. For example, with the default value, e_match("content", "error") does not match the value auth error. For more information, see Regular expressions. |
Response
If the specified field matches the regular expression, True is returned. Otherwise, False is returned.
Examples
Check whether the value of the k1 field is a number.
- Raw log:
k1: 123
- Transformation rule:
e_set("match",e_match("k1",r'\d+'))
- Result:
k1: 123
match: True
Other use cases
This function can be used together with other functions. For more information, see Cleanse data by using functions.
e_match_any
The function is used to check the values of one or more log fields against regular expressions. If at least one of the specified fields matches its regular expression, True is returned. Otherwise, False is returned.
Syntax
e_match_any(key1, regular_expression1, key2, regular_expression2, ..., full=True)
Note:
- The key and regular_expression parameters must be specified in pairs.
- In most cases, the e_match_any function is used together with the op_not, op_and, or op_or function.
Parameters
Parameter | Type | Required | Description |
---|---|---|---|
key | String | Yes | The name of the log field. If the specified field does not exist, that pair does not meet the condition. For example, if the f1 field does not exist, e_match_any("f1", ...) returns False unless another pair matches. |
regular_expression | String | Yes | The regular expression. To match a string literally, escape it first by using the str_regex_escape function. |
full | Bool | No | Specifies whether each regular expression must match the entire value of its field. Default value: True. If you set the value to False, a match anywhere in the field value is sufficient. For more information, see Regular expressions. |
Response
If at least one of the specified fields matches its regular expression, True is returned. Otherwise, False is returned.
Examples
Check whether the value of k1 is a number or the value of k2 is non-empty. Because k1 is a number, True is returned.
- Raw log:
k1: 123
k2: abc
k3: abc123
- Transformation rule:
e_set("match",e_match_any('k1', r'\d+', 'k2', '.+'))
- Result:
k1: 123
k2: abc
k3: abc123
match: True
Other use cases
This function can be used together with other functions. For more information, see Cleanse data by using functions.
e_match_all
The function is used to check the values of one or more log fields against regular expressions. If all specified fields match their regular expressions, True is returned. Otherwise, False is returned.
Syntax
e_match_all(key1, regular_expression1, key2, regular_expression2, ..., full=True)
Note:
- The key and regular_expression parameters must be specified in pairs.
- In most cases, the e_match_all function is used together with the op_not, op_and, or op_or function.
Parameters
Parameter | Type | Required | Description |
---|---|---|---|
key | String | Yes | The name of the log field. If the specified field does not exist, the condition is not met. For example, if the f1 field does not exist, e_match_all("f1", ...) returns False. |
regular_expression | String | Yes | The regular expression. To match a string literally, escape it first by using the str_regex_escape function. |
full | Bool | No | Specifies whether each regular expression must match the entire value of its field. Default value: True. If you set the value to False, a match anywhere in the field value is sufficient. For more information, see Regular expressions. |
Response
If all specified fields match their regular expressions, True is returned. Otherwise, False is returned.
Examples
Check whether the values of both k1 and k2 are numbers. Because the value of k2 is not a number, False is returned.
- Raw log:
k1: 123
k2: abc
k3: abc123
- Transformation rule:
e_set("match", e_match_all("k1", r"\d+", "k2", r"\d+"))
- Result:
k1: 123
k2: abc
k3: abc123
match: False
Other use cases
This function can be used together with other functions. For more information, see Cleanse data by using functions.
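The behaviour that matters when these checks are used as detection filters is the same across e_has, e_match, e_match_any and e_match_all: a missing field silently fails the condition, the default full=True requires the whole field value to match, and the key/regular_expression pairs are evaluated with any/all semantics. The Python below is an added example that re-implements those semantics as composable predicates so they can be tested offline; it is not the Simple Log Service code, and it uses Python's re module with fullmatch for full=True and search for full=False as an assumption about how the service evaluates the regular expression. The rule builder (`e_keep` here takes the event list as a second argument, unlike the DSL step of the same name), the `SUSPICIOUS` rule and the sample events are constructed for this example; `PAGE_EVENT` is the page's own k1/k2/k3 example log.

```python
import re
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Event = Dict[str, str]
Check = Callable[[Event], bool]


def e_has(key: str) -> Check:
    return lambda ev: key in ev


def e_not_has(key: str) -> Check:
    return lambda ev: key not in ev


def _regex_hit(ev: Event, key: str, pattern: str, full: bool) -> bool:
    # A field that does not exist never satisfies the condition.
    if key not in ev:
        return False
    value = str(ev[key])
    if full:  # full=True: the pattern must cover the entire value
        return re.fullmatch(pattern, value) is not None
    return re.search(pattern, value) is not None  # full=False: anywhere in the value


def e_match(key: str, pattern: str, full: bool = True) -> Check:
    return lambda ev: _regex_hit(ev, key, pattern, full)


def _pairs(args: Sequence[str]) -> List[Tuple[str, str]]:
    # key and regular_expression must be supplied in pairs.
    if len(args) % 2:
        raise ValueError("key/regular_expression arguments must come in pairs")
    return list(zip(args[0::2], args[1::2]))


def e_match_any(*args: str, full: bool = True) -> Check:
    pairs = _pairs(args)
    return lambda ev: any(_regex_hit(ev, k, p, full) for k, p in pairs)


def e_match_all(*args: str, full: bool = True) -> Check:
    pairs = _pairs(args)
    return lambda ev: all(_regex_hit(ev, k, p, full) for k, p in pairs)


def op_and(*checks: Check) -> Check:
    return lambda ev: all(c(ev) for c in checks)


def op_or(*checks: Check) -> Check:
    return lambda ev: any(c(ev) for c in checks)


def op_not(check: Check) -> Check:
    return lambda ev: not check(ev)


def e_keep(condition: Check, events: Iterable[Event]) -> List[Event]:
    """Retain the events for which the condition holds (example helper)."""
    return [ev for ev in events if condition(ev)]


# The page's own example log, used to reproduce its e_match_any / e_match_all results.
PAGE_EVENT: Event = {"k1": "123", "k2": "abc", "k3": "abc123"}

# Constructed sample events for a detection-style filter (not from the page).
SAMPLE_EVENTS: List[Event] = [
    {"status": "500", "content": "upstream timeout"},
    {"status": "200", "content": "ok"},
    {"status": "403", "content": "auth error"},
    {"content": "no status field at all"},
]

# Keep server-side failures, or anything whose content mentions "error",
# but only for events that carry a status field. Note full=False on the
# content check: with the default full=True, "error" would not match "auth error".
SUSPICIOUS: Check = op_and(
    e_has("status"),
    op_or(
        e_match("status", r"5\d\d"),
        e_match("content", r"error", full=False),
    ),
)


def suspicious_events() -> List[Event]:
    return e_keep(SUSPICIOUS, SAMPLE_EVENTS)
```

Running `suspicious_events()` keeps the 500 and the 403 events and drops the event without a status field, even though its content would pass a full-text search; that is the missing-field rule doing the filtering, so check the presence of a field explicitly when its absence should not silently exclude an event.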